Chrome Network - Forbidden - api user

Request URL:
http://127.0.0.1:8000/api/user
Request Method:
GET
Status Code:
403 Forbidden
Remote Address:
127.0.0.1:8000
Referrer Policy:
strict-origin-when-cross-origin
Access-Control-Allow-Credentials:
true
Access-Control-Allow-Origin:
http://localhost:3000
Allow:
GET, HEAD, OPTIONS
Content-Length:
58
Content-Type:
application/json
Cross-Origin-Opener-Policy:
same-origin
Date:
Mon, 11 Mar 2024 22:27:41 GMT
Referrer-Policy:
same-origin
Server:
WSGIServer/0.2 CPython/3.11.5
Vary:
Accept, Cookie, Origin
X-Content-Type-Options:
nosniff
X-Frame-Options:
DENY
Accept:
application/json, text/plain, */*
Accept-Encoding:
gzip, deflate, br
Accept-Language:
en-US,en;q=0.9
Connection:
keep-alive
Host:
127.0.0.1:8000
Origin:
http://localhost:3000
Referer:
http://localhost:3000/
Sec-Ch-Ua:
"Not A(Brand";v="99", "Google Chrome";v="121", "Chromium";v="121"
Sec-Ch-Ua-Mobile:
?1
Sec-Ch-Ua-Platform:
"Android"
Sec-Fetch-Dest:
empty
Sec-Fetch-Mode:
cors
Sec-Fetch-Site:
cross-site
User-Agent:
Mozilla/5.0 (Linux; Android 6.0; Nexus 5 Build/MRA58N) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.0.0 Mobile Safari/537.36

Chrome Network - OK - api login

Request URL:
http://127.0.0.1:8000/api/login
Request Method:
POST
Status Code:
200 OK
Remote Address:
127.0.0.1:8000
Referrer Policy:
strict-origin-when-cross-origin
Access-Control-Allow-Credentials:
true
Access-Control-Allow-Origin:
http://localhost:3000
Allow:
POST, OPTIONS
Content-Length:
52
Content-Type:
application/json
Cross-Origin-Opener-Policy:
same-origin
Date:
Mon, 11 Mar 2024 22:26:02 GMT
Referrer-Policy:
same-origin
Server:
WSGIServer/0.2 CPython/3.11.5
Set-Cookie:
csrftoken=yO8XukEnOSWYgwYxae4nd7c2OEHF2UQG; expires=Mon, 10 Mar 2025 22:26:02 GMT; Max-Age=31449600; Path=/; SameSite=Lax
Set-Cookie:
sessionid=rbj2ewpg11sx0t7q9j16ika01nk46074; expires=Mon, 25 Mar 2024 22:26:02 GMT; HttpOnly; Max-Age=1209600; Path=/; SameSite=Lax
Vary:
Accept, Cookie, Origin
X-Content-Type-Options:
nosniff
X-Frame-Options:
DENY
Accept:
application/json, text/plain, */*
Accept-Encoding:
gzip, deflate, br
Accept-Language:
en-US,en;q=0.9
Connection:
keep-alive
Content-Length:
52
Content-Type:
application/json
Host:
127.0.0.1:8000
Origin:
http://localhost:3000
Referer:
http://localhost:3000/
Sec-Ch-Ua:
"Not A(Brand";v="99", "Google Chrome";v="121", "Chromium";v="121"
Sec-Ch-Ua-Mobile:
?1
Sec-Ch-Ua-Platform:
"Android"
Sec-Fetch-Dest:
empty
Sec-Fetch-Mode:
cors
Sec-Fetch-Site:
cross-site
User-Agent:
Mozilla/5.0 (Linux; Android 6.0; Nexus 5 Build/MRA58N) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.0.0 Mobile Safari/537.36
@font-palette-values in Elements
The Elements panel now supports and shows a new section in Styles for the @font-palette-values at-rule.
Source map improvements
DevTools now shows you original variable names instead of minified across the Console, conditional breakpoints and logpoints, watch expressions, live expressions, and more.
Enhanced Performance > Interactions track
The Performance > Interactions track gets whiskers that indicate input and presentation delays at processing time boundaries.

Django logs

% python manage.py runserver
Watching for file changes with StatReloader
INFO:django.utils.autoreload:Watching for file changes with StatReloader
Performing system checks...

System check identified no issues (0 silenced).
March 11, 2024 - 22:25:02
Django version 4.1.5, using settings 'backend.settings'
Starting development server at http://127.0.0.1:8000/
Quit the server with CONTROL-C.
YYY UserLogin
[11/Mar/2024 22:25:09] "POST /api/login HTTP/1.1" 200 52
Forbidden: /api/user
WARNING:django.request:Forbidden: /api/user
[11/Mar/2024 22:25:36] "GET /api/user HTTP/1.1" 403 58
YYY UserLogin
[11/Mar/2024 22:25:42] "POST /api/login HTTP/1.1" 200 52
Forbidden: /api/user
WARNING:django.request:Forbidden: /api/user